Aave DIVA Wrapper
DIVA
HardhatDeFi
15,000 USDC
View results
Previous Next
Submission Details
Severity: low
Valid

Incorrect Order of Constructor Arguments in `AaveDIVAWrapper` Contract

0xshoonya

Summary

The AaveDIVAWrapper contract's constructor passes arguments to its parent contract AaveDIVAWrapperCore in the wrong order, causing critical initialization issues that affect all interactions with both DIVA and Aave protocols.

Vulnerability Details

The AaveDIVAWrapper contract inherits from AaveDIVAWrapperCore but incorrectly orders the constructor parameters when calling the parent constructor.
AaveDIVAWrapper.sol#L12
Current Implementation:

contract AaveDIVAWrapper is AaveDIVAWrapperCore, ReentrancyGuard {
constructor(address _aaveV3Pool, address _diva, address _owner) AaveDIVAWrapperCore(_aaveV3Pool, _diva, _owner) {}

Expected Implementation in Parent Contract(AaveDIVAWrapperCore):
AaveDIVAWrapperCore.sol#L52

constructor(address diva_, address aaveV3Pool_, address owner_)

The mismatch occurs as follows:

  1. First parameter (_aaveV3Pool) is passed to diva_

  2. Second parameter (_diva) is passed to aaveV3Pool_

This results in:

  • DIVA protocol address being stored as the Aave V3 Pool address

  • Aave V3 Pool address being stored as the DIVA protocol address

Impact

This effectively renders the entire wrapper contract non-functional.

Tools Used

Manual Review

Recommendations

Modify the AaveDIVAWrapper constructor to match the parameter order of the parent contract:

constructor(address _diva, address _aaveV3Pool, address _owner)
AaveDIVAWrapperCore(_diva, _aaveV3Pool, _owner) {}
Updates

Lead Judging Commences

bube Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Constructor arguments mismatch

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.